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ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
Survey, or you have any general queries about the consultation, please 


email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public). All responses from organisations 
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and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Qi Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


[| Yes 


K No 


Q2 If not, please specify where improvements could be made. 


It is appreciated that the Code of Practice when finalised will cover 
processing under the GDPR and Part 3 of the DPA 2018. However, there 
are times when terminology in relating to these different regimes 
overlap and used inconsistently. 


For instance, reference to processing of personal data under Part 2 of 
the DPA, refers to processing primarily governed by the GDPR. Also 
there is reference to “sensitive personal data” which actually refers to 
personal data undergoing sensitive processing under Part 3 of the DPA. 
Further on page 27 there is reference to sensitive data within the 
meaning of Parts 2 or 3 of the DPA, which is incorrect. It is the GDPR 
that defines “special category personal data” and Part 3 of the DPA 
refers to “sensitive processing”. 


The interchanging of these terms may result in confusion to those 
without an understanding of the data protection legislation. It is 
suggested that terminology should be consistently used and be 
consistent with the legislation that applies to it. 
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Q3 Does the draft code cover the right issues about data sharing? 
Yes 


O No 


Q4 If no, what other issues would you like to be covered in it? 


re 


Q5 Does the draft code contain the right level of detail? 
L] Yes 


K No 


Q6 If no, in what areas should there be more detail within the draft 
code? 


It is suggested that there are some areas in which there should be a 
little more detail. These are in relation to 
the rights and freedoms of children 
the powers of public bodies to share personal data in all forms and 
the inability of the public sector to rely on certain processing 
conditions. 


Rights and Freedoms of Children 
It is suggested that it should be made very clear that the risk to 
children’s interests can be higher than the same processing relating to 


adults as a result of their vulnerability. This means that “high risk” 
scenarios requiring a DPIA are more likely where the processing 
involves the personal data of children. 


The powers to share 

It is suggested that it should be made clearer that the gateways to data 
Sharing can be restricted by other laws. These restrictions can be 
contained within the legislation providing the gateway but are more 
likely to be external. This is referred to in relation to human rights but 
this strikes at the power of the public body rather than a data protection 
issue. However, there are others such as the Common Law Duty of 
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Confidentiality and/or the Law of Privacy (as referred to in Scots law 
although there are counterparts within English law). 


However, by failing to link the often external restrictions on the use of 
gateways mentioned previously in relation to the paragraph “What is 
the purpose of the data sharing initiative” when referring to the 
public sector and the layout of the section entitled “Other legal 
requirements”, may not reflect their fundamental importance to the 
purposes of data sharing. For instance, the sharing of personal data of 
children in relation to “welfare” concerns (note these concerns do not 
amount to the severity of matters that would be viewed as being child 
protection issues). Even with a potentially usable legal basis for this 
processing set down in the DPA 2018, the issue of human rights issues 
do not allow a public authority to use the gateways provided (see the 
Christian Institute Supreme Court decision). 


It is suggested that it is stressed in the draft Code on Page 60 that non- 
compliance with the HRA or other laws such as the common law duties 
mentioned previously will always breach the lawful data protection 
principle. 


As an aside, it is suggested that the Code of Practice should refer to the 
Laws of Privacy developing in both jurisdictions as a correlation to the 
Common Law Duty of Confidentiality. 


Processing conditions 


It is suggested that in the section relating to the public sector and data 
Sharing that the (potential) inability to rely on the legal bases of 
processing for consent (Recital 43 of the GDPR) and legitimate interests 
(Article 6(1) of the GDPR) should contain specific reference to these 
issues in relation to having a legal basis for data sharing. 


It is suggested that the Code re-iterate matters that have been referred 
to elsewhere in the Code so for instance in the section relating to Data 
Sharing Agreement there is reference to inclusion of a model consent 
form. It is suggested that this reference should be qualified to include 
the inability of the public sector to rely on consent so that a consistent 
message is being provided. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 
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[1 Yes 


K No 


Q8 If no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


It is suggested that the idea of Data Trusts is a new concept that can 
provide for the safe sharing of personal data etc. for the purposes of 
research etc. The ODI have referred to examples of where this could be 
useful - such as the Kent Integrated Data Set. This data set appears to 
be referred to in the example provided on page 101 of the draft Code. 
However, it is suggested that it is relevant to state that the risks arising 
from that sharing have been reduced by other measures such as 
pseudonymisation carried out in the dataset. Experience has shown that 
this governance measure tends to be overlooked when creating such 
datasets. 


It is suggested that pseudonymisation through the use of Data Trusts 


could be referred to in relation to the question “Could we achieve the 
objective without sharing the data or buy anonymising it?” In fact, it 
may be relevant to include specific reference to pseudonymisation 
rather than anonymisation as an option to facilitate data sharing. 


In the section relating to Data Sharing Agreements the Commissioner 
states that such agreements should be “regularly” reviewed. It is 
appreciated that how often this means will depend upon the sharing 
concerned. However, it ,ay be useful for the Commissioner to consider 
some guidance as to how to approach the determination of the review 
periods. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


[| Yes 


K No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 
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It is possibly a minor point but it is suggested that there is more 
emphasis based upon the use of pseudonymisation and/or the use of 
Data Trusts in respect of data sharing for research and related projects. 


In relation to the section on Data sharing agreements, there is a 
concern that following the Code as it stands in relation to the content of 
such agreements may be viewed as over prescriptive. It is appreciated 
that the references to content are referred to as being “helpful” but it is 
highly likely that in order to be protected that controllers will follow the 
guidance strictly. It is suggested that the Commissioner consider a 
possibility of the information described being set down in a separate 
document such as the DPIA. 


Q1ii Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


[| Yes 


K No 


Q12 If no, in what way does the draft code fail to strike this balance? 


There is a risk that the purpose of the data sharing can be assumed as 
outweighing the rights and interests of data subjects - this is potentially 
more prevalent in the public sector “in the public interest”. 


It is suggested that there be further explanation as to what is meant by 
“adverse” effects. It is suggested that in terms of the GDPR, adverse 


effects may not have a particularly level of harm - and could include 
unhappiness about the personal data being used (similar to the level of 
detriment in relation to the Common Law Duty of Confidentiality — 
disclosure to someone to whom the data subject would not want it 
disclosed). Including this clarification should mean that proper 
consideration of such matters are taken into account in relation to data 
sharing. 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[| Yes 


K No 
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Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


It is suggested that there should be a scenario that reflects the 
interaction between laws that may prevent data sharing and their effect 
upon the lawfulness data protection principal. This scenario does not 
need to result in the refusal to share personal data but show how these 


matters are important to considerations regarding data sharing. 


The most obvious scenario would be the use of a Data Trust for 
research etc. purposes 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


O Strongly agree 
Agree 
O Neither agree nor disagree 
L Disagree 
LO Strongly disagree 

Q16 Are you answering as: 


O An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the public) 


L] An individual acting in a professional capacity 
On behalf of an organisation 
O Other 


Please specify the name of your organisation: 


South Lanarkshire Council 


Thank you for taking the time to share your views and experience. 


